17.1. Introduction

Remote access is
one of Linux's great features, and there are many
ways to do it. For access over untrusted networks,
don't use those old reliable standbys, telnet or X,
because logins and data are sent in the clear. Your best bet is
OpenSSH
(Secure Shell), a suite containing a number of secure remote transfer
programs:
scp (secure copy),
ssh (Secure Shell), and
sftp (SSH file
transfer protocol).
ssh is the tool of
choice for remote system administration; with
ssh, you can log into remote systems and run
them as though you were physically there. Logins and data are
encrypted, and ssh will detect if any packets
have been altered en route. Eavesdroppers can sniff and muck with all
the packets they want—they won't get anywhere.

SSH isn't
really a shell; it's a protocol. There are two
incompatible versions of this protocol: SSH-1
and SSH-2. OpenSSH supports both. This chapter
covers SSH-2,
because you should be using a current version of OpenSSH.

SSH nomenclature can get a bit confusing. SSH, capitalized, is the
protocol. ssh, scp, and so
forth, in lowercase, are programs that use SSH. OpenSSH is the
implementation of SSH used in this chapter.

Using SSH is not very complicated. If you're used to
rsh, rlogin, or rcp, the
command syntax is pretty much the same. You'll need
sshd,
the OpenSSH daemon, running on all machines to which you want to
enable remote access, and you'll need shell accounts
on the remote machines. You can log in as any user, as long you have
the login and password.

OpenSSH uses public/private key
pairs for authentication.
Private keys are carefully guarded and
never, ever shared. Always create a strong passphrase to encrypt and
protect your private keys. A really strong passphrase is a nonsense
sentence that combines words and numbers, like "t4is
is mai 733t s3kkrit p4ssphr4se". As always, you must
strike a balance between security and usability, because you may need
to type your passphrase frequently.

Public
keys are distributed to both remote SSH clients and remote SSH
servers. For example, when you use host-key
authentication,
this means the public key of the server is stored on clients that are
allowed to access it. All SSH sessions start with host-key
authentication. Once the remote host's public key is
copied to your local ~/.ssh directory, you can
log into any user account you have access to on the remote host,
using the account logins.

If you want to use SSH keys for authentication, instead of user
account logins, you generate your own public/private key pair, and
copy your public key to all the remote hosts you wish to access. A
couple of configuration steps, which are covered in this chapter,
must be carried out to make this work. This is called
public-key
authentication.

If you're going to access a lot of remote machines,
managing logins can be difficult. Recycling the same public key and
passphrase all over the place presents a potential security problem,
but tracking a lot of different passphrases can also be trouble.
OpenSSH provides a way to avoid all this login drama, by using
public-key authentication,ssh-agent,
and keychain. These let you set up
secure, passphraseless logins.